Automatically roll out IAM Root Access Management
With the introduction of root access management, AWS organisation owners can now securely manage root account credentials centrally. For larger enterprises, enabling this across the whole organisation is a slow, click-heavy rollout. This post walks through how to automate the enablement and rollout across an organisation. For comparison, the manual process for each account looks something like this:
- Check out the hardware MFA key out of the safe location
- Create the account - using IaC
- Reset the password on the account - storing this in a centralised password manager
- Log in to the account and set up the hardware MFA
- Re-check the key back
Clone the tool and run it against the organisation:

```bash
git clone https://github.com/WPP-Public/aws-root-access-management.git root-account-management
cd root-account-management
python3 ./main.py
```
To leave any X.509 signing certificates on the root users in place, pass `--skip-signing-certificates`:

```bash
git clone https://github.com/WPP-Public/aws-root-access-management.git root-account-management
cd root-account-management
python3 ./main.py --skip-signing-certificates
```
The organisation-level prerequisites, run once from the management account: enable trusted access for IAM, then turn on centralised root credentials management and root sessions:

```bash
aws organizations enable-aws-service-access --service-principal iam.amazonaws.com
aws iam enable-organizations-root-credentials-management
aws iam enable-organizations-root-sessions
```
Under the hood, the per-account clean-up maps to the following CLI calls. The `assume-root` call is made from the management account (or the IAM delegated administrator) with a task policy that scopes the short-lived root session to credential deletion only; every call after it runs with the returned credentials:

```bash
aws sts assume-root --target-principal <account_id> --task-policy-arn arn=arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials --duration-seconds 900
# Export the returned AccessKeyId, SecretAccessKey and SessionToken before running the commands below
aws iam get-login-profile
# if a console password exists
aws iam delete-login-profile
aws iam list-access-keys
# iterate over every key returned
aws iam delete-access-key --access-key-id <access_key_id>
aws iam list-signing-certificates
# iterate over every certificate returned
aws iam delete-signing-certificate --certificate-id <certificate_id>
aws iam list-mfa-devices
# iterate over every device returned
aws iam deactivate-mfa-device --serial-number <serial_number>
```
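The same sequence in boto3, as an added example that is not the WPP-Public tool's code: `root_iam_client`, `delete_root_credentials` and `run` are names chosen here, and the block assumes a boto3 release that exposes `sts.assume_root`. The deletion logic takes the IAM client as a parameter so it can be exercised against a fake client before it is pointed at real accounts.

```python
"""Added example (not the WPP-Public tool): remove root user credentials from every member
account via STS assume-root. Names are our own; assumes a boto3 release with sts.assume_root."""
from typing import Dict, List

ROOT_TASK_POLICY = "arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials"  # deletion only

def root_iam_client(sts, account_id: str):
    """Swap a management/delegated-admin session for a 15-minute root session in account_id."""
    import boto3  # imported here so delete_root_credentials() stays testable offline
    creds = sts.assume_root(
        TargetPrincipal=account_id,
        TaskPolicyArn={"arn": ROOT_TASK_POLICY},
        DurationSeconds=900,
    )["Credentials"]
    return boto3.client("iam", region_name="us-east-1",
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])

def delete_root_credentials(iam, skip_signing_certificates=False) -> Dict[str, List[str]]:
    """Same order as the CLI walkthrough; returns what was removed so the run can be audited."""
    removed: Dict[str, List[str]] = {"login_profile": [], "access_keys": [],
                                     "signing_certificates": [], "mfa_devices": []}
    try:  # a root user with no console password raises NoSuchEntity here
        iam.get_login_profile()
        iam.delete_login_profile()
        removed["login_profile"].append("deleted")
    except iam.exceptions.NoSuchEntityException:
        pass
    for key in iam.list_access_keys()["AccessKeyMetadata"]:
        iam.delete_access_key(AccessKeyId=key["AccessKeyId"])
        removed["access_keys"].append(key["AccessKeyId"])
    if not skip_signing_certificates:  # mirrors the --skip-signing-certificates flag
        for cert in iam.list_signing_certificates()["Certificates"]:
            iam.delete_signing_certificate(CertificateId=cert["CertificateId"])
            removed["signing_certificates"].append(cert["CertificateId"])
    for dev in iam.list_mfa_devices()["MFADevices"]:
        iam.deactivate_mfa_device(SerialNumber=dev["SerialNumber"])
        removed["mfa_devices"].append(dev["SerialNumber"])
    return removed

def run(org, sts, management_account_id: str, **kw) -> Dict[str, Dict[str, List[str]]]:
    """Walk every active member account; the management account keeps its own root credentials."""
    results = {}
    for page in org.get_paginator("list_accounts").paginate():
        for acct in page["Accounts"]:
            if acct["Id"] != management_account_id and acct["Status"] == "ACTIVE":
                results[acct["Id"]] = delete_root_credentials(root_iam_client(sts, acct["Id"]), **kw)
    return results
```

`run` returns a per-account record of what was removed, which is the audit trail you want to keep from a rollout of this kind.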